
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Network Security 2006 (Las Vegas, Oct. 1-8) is the only place to find all 20 of SANS' highest rated teachers. How good are the courses at SANS Network Security 2006? Ask the alumni. ++ "I have attended courses by several of SANS' rivals, and SANS blew them away." - Alton Thompson, US Marines ++ "This is the only conference/training I've ever attended at which I learned techniques and found tools I could apply immediately." - Dwight Leo, Defense Logistics Agency (DLA) ++ "This program provided the opportunity to learn from many of the people who are defining the future direction of information technology." - Larry Anderson, Computer Sciences Corp. ++ "The SANS classes have been uniformly excellent. To learn as much through traditional classes would have entailed weeks away from work." - David Ritch, Department of Defense. See: http://www.sans.org/ns2006/caag.php

TOP OF THE NEWS

IT Security Industry Changes: Trouble on the Horizon (September 2006)

As companies complete SOX and GLBA compliance efforts, they are often reorganizing, and managers and consultants with soft skills are being let go; maturing regulation, however, is not the only factor affecting job prospects. The emergence of regulatory requirements within the last several years initially provided numerous jobs and comfortable budgets for IT managers and consultants. However, once "what it takes to comply" with the regulations became clearer, executives began to tire of spending money on overpriced consultants and unnecessary reports. Budget growth slowed, and some security managers were reorganized into positions of diminished power. Additionally, certain IT organizational best practices and standards encourage restructuring that sometimes "relegate(s) security to a second-class activity." Finally, there has been a recent movement toward personal accountability for IT systems' security, which often means people lose their jobs in the event of a security breach. On the other hand, IT security management jobs within the government and government contractors appear to be relatively secure in the near term. This can be attributed largely to the implementation of the Federal Information Security Management Act (FISMA) and its attendant demand for voluminous reports on government IT systems' compliance. Even here, however, "change seems to be in the air" as government officials begin to question FISMA's efficacy. Several strategies that private and government security managers can use to increase their chances of holding onto their jobs are described in the article, written by Stephen Northcutt.
-http://www.sans.edu/resources/ITSecurityIndustryChanges.pdf
[Editor's Note (Schultz): FISMA's value is very much open to question. FISMA compliance is, unfortunately, more of a bureaucratic paper creation and shuffling exercise than anything else. I know of a government laboratory with terrible security practices--it has more security breaches than any other site operated by a certain government agency--yet this laboratory got very high marks on a recent FISMA audit.
(Pescatore): I think a real key to making sure you protect customer and business data, which in turn leads to keeping your job, is to make sure you have a "network of friends" in your company. Having a network of trust with compadres in the audit and financial groups, as well as the business units, is the best way to make sure security is part of all those informal processes where the actual work (not just what gets presented to auditors) gets done. Being part of a "hallway design review" to make sure security is baked in somewhere is infinitely more valuable than just being able to point at policies, procedures and processes - not that there's anything wrong with those.]

Credit Card Companies Update PCI (8 September 2006)

The five major credit card companies, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, have formed the Payment Card Industry Security Standards Council, marking the first time all have agreed on a common framework for payment card security. Their first order of business was to update the current PCI Data Security Standard by providing instructions for implementing the requirements and clarifying the language, for instance, replacing vague terms, such as "regularly," with specifics, such as "annually" or "quarterly." The council's goal is "to enhance payment account security by fostering broad adoption of the PCI Data Security Standard."
-http://www.zdnet.co.uk/print/?TYPE=story&AT=39282935-39020645t-10000019c
-https://www.pcisecuritystandards.org/about/faqs.htm#pcidss
[Editor's Note (Paller): The PCI updates were needed. Great job.]

SPYWARE, SPAM & PHISHING

A Queensland, Australia company is suffering from the fallout of a spam attack that spoofed its good name. Clients of the National Online Talent Management (NOTM) agency, as well as people unfamiliar with the company, have deluged it with angry email messages about unsolicited commercial email that appeared to come from NOTM. The phony email had copied large portions of text from a legitimate NOTM email. NOTM is unsure how to repair its professional relationships and redeem its reputation. The individuals responsible for the phony email messages reside outside of Australia.
-http://www.zdnet.com.au/news/security/soa/Qld_firm_s_reputation_ruined_by_e_mail_scam/0,130061744,339270871,00.htm

US$2 Million Fine for Malware Spreaders (8 & 6 September 2006)

Two California companies and three individuals have agreed to pay a US$2 million fine to settle Federal Trade Commission (FTC) charges of false and deceptive practices. Enternet Media, Conspy & Co, Lida Rohbani, Nima Hakimi and Baback Hakimi ran a scheme that purported to offer antivirus and antispam protection, but actually downloaded malware onto people's computers. Computer users would receive a pop-up ad warning them of problems with their browsers and offering free protection. Users who declined the download kept receiving the pop-up ad. People who downloaded the "protection" found their computers infested with hard-to-remove spyware and tracking software. The defendants used additional tactics to trick people into downloading the malware onto their computers, including offering free music files, cell phone ring tones and wallpaper. The terms of the settlement permanently bar the defendants from interfering with a consumer's computer use. The FTC estimates that as many as 18 million computers worldwide were infected with malware as a result of these schemes.
-http://www.internetnews.com/bus-news/article.php/3630621
-http://www.theage.com.au/news/security/spyware-affected-18m-computer-users/2006/09/08/1157222295731.html?page=fullpage#contentSwap1

MISCELLANEOUS

Update today: Chairwoman Dunn will step down from her current position but stay on the board. CEO Mark Hurd will take over as Chairman of the Board.
-http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=192701297

Members of Hewlett Packard's board of directors were not the only ones whose private phone records were obtained through deceptive means. California's attorney general says that private investigators hired by HP to find out who leaked confidential company information to the media also obtained phone records of nine journalists, including two CNET journalists who covered the story in January 2006. The records were obtained through a method known as pretexting, in which the person seeking the records pretends to be the account holder. As of mid-day Monday, HP's board of directors had not released any sort of decision regarding the fate of chairwoman Patricia Dunn, who ordered the investigation. The board was expected to meet again Monday afternoon.
-http://www.silicon.com/cxoextra/0,3800005419,39162207,00.htm

Phone Companies Need to Address Account Security (11 September 2006)

HP's recent revelation that it authorized an investigation that employed deceptive means to obtain individuals' phone records serves as a reminder that phone companies need to take more precautions to safeguard their customers' data. Several months ago, news stories described how phone records were being offered for sale on the Internet. In response, US lawmakers introduced legislation that would criminalize pretexting, or pretending to be someone you are not in order to obtain that person's records. Authentication methods for accessing phone records typically require only knowledge of the phone number and the last four digits of the account holder's Social Security number (SSN). Customers are encouraged to create individualized passwords, but this is not often a requirement. There are some exceptions; one company requires the person requesting access to the record to provide information printed on the bill or to answer questions pertaining to that specific account. Other ideas for tightening the reins of security include calling back the individuals requesting access and notifying customers by email or text message when their accounts are being accessed.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39434572-39000005c

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and a member of the Editorial Board.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com. He authors the critical vulnerabilities section of the SANS Institute's weekly @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 quarterly updates.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.
